o ?hLI@sNdZddlZddlmmZddlZddlZddl m Z ej j ddZ ej j ddZej j dd Zej j d d Zej j d d Zej j ddZej j ddZej j ddZej j ddZej j ddZej j ddZej j ddZej j ddZej j ddZej j d d!Zej j d"d#Zej j d$d%ZdS)&a test_auth.py Purpose: Comprehensive test suite for authentication functionality including login, logout, rate limiting, session management, and CSRF protection. Test Categories: - Successful login with valid credentials - Failed login with invalid credentials - Logout functionality and session clearing - Rate limiting enforcement per user and IP - Session management and security Nget_dbcCs|}|d}|jd|d|ddd}|j}d}||k}|sUtd|fd ||fd tvs6t|r;t|nd t|t|d } d d | i} t t | d}}}|j }|j }d} || } | sdd tvsut|rzt|nd t|t|t| t| d} t t | d}}} } | d}|j}d}||k}|std|fd ||fd tvst|rt|nd t|t|d } d d | i} t t | d}}}dS)z=Test successful login with valid credentials via POST /login.regular/loginusernamepasswordrrdata.==z3%(py2)s {%(py2)s = %(py0)s.status_code } == %(py5)sresponsepy0py2py5assert %(py7)spy7N/selecthassert %(py8)s {%(py8)s = %(py4)s {%(py4)s = %(py2)s {%(py2)s = %(py0)s.location }.endswith }(%(py6)s) }rrpy4py6py8) test_clientpost status_code @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _safereprAssertionError_format_explanationlocationendswithget)app test_usersclear_rate_limitsclientuserr @py_assert1 @py_assert4 @py_assert3 @py_format6 @py_format8 @py_assert5 @py_assert7 @py_format9r8+/var/www/html/tests/functional/test_auth.py'test_successful_login_valid_credentialss  r:cCs|}|jddddd}|j}d}||k}|sMtd|fd||fd tvs.t|r3t|nd t|t|d }d d |i} t t | d }}}|j }|j }d} || } | sdd tvsmt|rrt|nd t|t|t| t| d} t t | d }}} } | d}|j}d}||k}|std|fd||fd tvst|rt|nd t|t|d }d d |i} t t | d }}}g}d} |j}| |v}|}|sd}|j}||v}|}|s}td|fd| |ft| d tvst|rt|nd t|d} dd| i}|||shtd|fd||ft|d tvsOt|rTt|nd t|d}dd|i}||t|di}dd|i}t t |d }}} }}}}}d S) z(Test failed login with invalid username.rnonexistentuser anypasswordrr r r rrrrrN/rrrPogrekorisniinz,%(py3)s in %(py7)s {%(py7)s = %(py5)s.data }py3rr%(py9)spy9z0%(py12)s in %(py16)s {%(py16)s = %(py14)s.data }py12py14py16%(py18)spy18assert %(py21)spy21rrrr r!r"r#r$r%r&r'r(r)r*r append_format_boolop)r+r,r-r.rr0r1r2r3r4r5r6r7 @py_assert2 @py_assert6 @py_assert0 @py_assert11 @py_assert15 @py_assert13 @py_format10 @py_format17 @py_format19 @py_format20 @py_format22r8r8r9"test_failed_login_invalid_username,s  `r_cCs,|}|d}|jd|dddd}|j}d}||k}|sStd|fd ||fd tvs4t|r9t|nd t|t|d } d d | i} t t | d}}}|j }|j }d} || } | sdd tvsst|rxt|nd t|t|t| t| d} t t | d}}} } | d}|j}d}||k}|std|fd ||fd tvst|rt|nd t|t|d } d d | i} t t | d}}}g}d}|j}||v}|}|sd}|j}||v}|}|std|fd||ft|d tvst|r$t|nd t|d} dd| i}|||sotd|fd||ft|d tvsVt|r[t|nd t|d}dd|i}||t|di}dd |i}t t |d}}}}}}}}dS)!z(Test failed login with invalid password.limitedrr wrongpasswordrr r r rrrrrNr=rrrr>r?r@rBrCrErFrGrHrLrMrNrOrPrQ)r+r,r-r.r/rr0r1r2r3r4r5r6r7rTrUrVrWrXrYrZr[r\r]r^r8r8r9"test_failed_login_invalid_passwordAs  brbc Cs0|}|jddddd}|j}d}||k}|sMtd|fd||fdtvs.t|r3t|ndt|t|d }d d |i}t t |d }}}|j }|j }d } || } | sddtvsmt|rrt|ndt|t|t| t| d} t t | d }}} } d S)z)Test failed login with empty credentials.rrr r r rrrrrNr=rr) rrrr r!r"r#r$r%r&r'r(r)) r+r-r.rr0r1r2r3r4r5r6r7r8r8r9#test_failed_login_empty_credentialsWs rdcCsL||}|d}|jd|d|ddd}|j}d}||k}|sXtd|fd ||fd tvs9t|r>t|nd t|t|d } d d | i} t t | d}}}| d}|j}d}||k}|std|fd ||fd tvst|rt|nd t|t|d } d d | i} t t | d}}}| } | dd} Wdn1swY|jdd| id}|j}d}||k}|s td|fd ||fd tvst|rt|nd t|t|d } d d | i} t t | d}}}|j }|j}d} || }|sOdd tvs.t|r3t|nd t|t|t| t|d}t t |d}}} }| d}|j}d}||k}|std|fd ||fd tvst|rt|nd t|t|d } d d | i} t t | d}}}dS)z@Test logout functionality via POST /logout and session clearing.adminrrrrr r r rrrrrNrr csrf_tokenrc/logoutr=rr)rrrr r!r"r#r$r%r&r'r*session_transactionr(r))r+r,r-r.r/rr0r1r2r3r4sessrfr5r6r7r8r8r9test_logout_functionalitygs$    rjc CsR|}|d}|jd|d|ddd}|j}d}||k}|sUtd|fd ||fd tvs6t|r;t|nd t|t|d } d d | i} t t | d}}}| d}|j}ddg}||v}|std|fd||fd tvst|rt|nd t|t|d } d d | i} t t | d}}}dS)z3Test that GET /logout is not supported (only POST).rrrrrr r r rrrrrNrgiir@)z3%(py2)s {%(py2)s = %(py0)s.status_code } in %(py5)s) rrrr r!r"r#r$r%r&r'r*) r+r,r-r.r/rr0r1r2r3r4r8r8r9%test_logout_get_request_not_supporteds  rkcCs||}ddl}ddlm}|3|}|dd|d}ddl }dt | }| d||df} | Wdn1sKwY|j d |dd d } | j} d } | | k} | std | fd| | fdtvszt| rt| ndt| t| d}dd|i}tt|d} } } tdD]L}|d} | j} d} | | k} | std | fd| | fdtvst| rt| ndt| t| d}dd|i}tt|d} } } qdS)z7Test that session persists across requests after login.rNrtestpassutf-8 sessionuser_FINSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)Frrr r r rrrrrrr)rbcryptapp_modules.dbr app_contexthashpwencodegensaltdecodetimeintexecutecommitrrr r!r"r#r$r%r&r'ranger*)r+r-r.rqrdbtest_password_hashrxunique_usernamecursorrr0r1r2r3r4ir8r8r9test_session_managements0       rc Cs|}ddg}|D]L}||}|j}d}||k}|sPtd|fd||fdtvs1t|r6t|ndt|t|d} dd | i} t t | d }}}q d S) z5Test that protected endpoints require authentication.r /dodaj-kamerur r rrrrrN) rr*rr r!r"r#r$r%r&r') r+r-r.protected_endpointsendpointrr0r1r2r3r4r8r8r9/test_protected_endpoints_require_authentications rc Cs$|}|d}|jd|d|ddd}|j}d}||k}|sUtd|fd ||fd tvs6t|r;t|nd t|t|d } d d | i} t t | d}}}|jdid}|j}d}||k}|std|fd ||fd tvst|rt|nd t|t|d } d d | i} t t | d}}}| } | dd} Wdn1swY|jdd| id}|j}d}||k}|s td|fd ||fd tvst|rt|nd t|t|d } d d | i} t t | d}}}dS)z(Test CSRF protection on logout endpoint.rrrrrr r r rrrrrNrgrfrc rrrr r!r"r#r$r%r&r'rhr* r+r,r-r.r/rr0r1r2r3r4rirfr8r8r9test_csrf_protection_on_logouts  rcCs|}|d}|j}d}||k}|sHtd|fd||fdtvs)t|r.t|ndt|t|d}dd|i}t t |d }}}| } | d } d } | | u}|std |fd | | fd tvsut| rzt| nd t| d } dd| i}t t |d }} t | } d} | | k}|std|fd| | fdtvstt rtt ndd tvst| rt| nd t| t| d}dd|i}t t |d } }} Wd d S1swYd S)z:Test that CSRF tokens are properly generated and injected.r=rr rrrrrNrfis notz%(py0)s is not %(py3)srrDassert %(py5)sr)>)z/%(py3)s {%(py3)s = %(py0)s(%(py1)s) } > %(py6)slenrpy1rDrassert %(py8)sr) rr*rr r!r"r#r$r%r&r'rhr)r+r-r.rr0r1r2r3r4rirfrT @py_format4r5 @py_format7r7r8r8r9test_csrf_token_generations   x"rc Cs|}|d}|jd|d|ddd}|j}d}||k}|sUtd|fd ||fd tvs6t|r;t|nd t|t|d } d d | i} t t | d}}}| } | dd} Wdn1spwY|jddddd}|j}d}||k}|std|fd ||fd tvst|rt|nd t|t|d } d d | i} t t | d}}}dS)z9Test CSRF protection on various state-changing endpoints.rerrrrr r r rrrrrNrfrcz/admin/add_user testuser123 testpass123rrrr8r8r9/test_csrf_protection_on_state_changing_requestss   rcCs|}|d}|t}|d|Wdn1s#wY|jd|d|ddd}|j}d }||k} | sutd | fd ||fd t vsVt |r[t |nd t |t |d } dd| i} t t| d}} }|t}|dd|df} t| } d}| |k}|std |fd| |fdt vst trt tnddt vst | rt | ndt | t |d}dd|i}t t|d} }}| d}|d}|d} || k} | std | fd|| ft |t | d}dd|i}t t|d}} } |d}d} || u} | sStd| fd || ft |t | d}dd|i}t t|d}} } |d!}d} || k} | std | fd|| ft |t | d}dd|i}t t|d}} } Wdn 1swY|}|jd|dd"dd}|j}d }||k} | std | fd ||fd t vst |rt |nd t |t |d } dd| i} t t| d}} }|t}|dd#|df} t| } d}| |k}|satd |fd| |fdt vs/t tr4t tnddt vsBt | rGt | ndt | t |d}dd|i}t t|d} }}| d}|d}|d} || k} | std | fd|| ft |t | d}dd|i}t t|d}} } |d!}d#} || k} | std | fd|| ft |t | d}dd|i}t t|d}} } WddS1swYdS)$z4Test that authentication events are properly logged.r`zDELETE FROM auth_logNrrrrr r r rrrrrz7SELECT * FROM auth_log WHERE event = ? AND username = ? login_successrN)z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } == %(py6)srlogsrrrr)z%(py1)s == %(py4)srrassert %(py6)sruser_idr)z%(py1)s is not %(py4)seventra login_failure)rrsrrzr{rrr r!r"r#r$r%r&r'fetchallr)r+r,r-r.r/r}rr0r1r2r3r4rrTr5rr7logrV @py_format5client_2r8r8r9!test_authentication_event_logging#sV      pln    pn$rcCs|}|d}|d}|j}d}||k}|sLtd|fd||fdtvs-t|r2t|ndt|t|d} dd | i} t t | d }}}| } | d d } Wd n1sgwY|j d |d|ddd}|j}d}||k}|std|fd||fdtvst|rt|ndt|t|d} dd | i} t t | d }}}| J} | d} d }| |u}|std|fd| |fdtvst| rt| ndt|d}dd|i} t t | d }}Wd n 1swY|d}|j}d}||k}|s]td|fd||fdtvs>t|rCt|ndt|t|d} dd | i} t t | d }}}| N} | d d }d }||k}|std|fd||fdtvst|rt|ndt|d}dd|i} t t | d }}Wd d S1swYd S)zFTest that session is regenerated on login to prevent session fixation.rr=rr rrrrrNrfrcrrrrr r rrrlogged_in_user_idrrrr!=)z%(py0)s != %(py3)scsrf_token_after_login) rr*rr r!r"r#r$r%r&r'rhr)r+r,r-r.r/rr0r1r2r3r4riinitial_csrf_tokenrrTrrr8r8r9"test_session_regeneration_on_loginUs,     |   $rcCsx|d}|}|}|jd|d|ddd}|j}d}||k} | sYtd| fd ||fd tvs:t|r?t|nd t|t|d } d d | i} t t | d}} }|jd|d|ddd} | j}d}||k} | std| fd ||fdtvst| rt| ndt|t|d } d d | i} t t | d}} }| d}|j}d}||k} | std| fd ||fd tvst|rt|nd t|t|d } d d | i} t t | d}} }| d} | j}d}||k} | sCtd| fd ||fdtvs$t| r)t| ndt|t|d } d d | i} t t | d}} }| } | dd}Wdn 1s_wY|jdd|id| d} | j}d}||k} | std| fd ||fdtvst| rt| ndt|t|d } d d | i} t t | d}} }dS)z@Test handling of multiple concurrent sessions for the same user.rerrrrr r r r response1rrrN response2rrrfrcrg) rrrr r!r"r#r$r%r&r'r*rh)r+r,r-r/client1client2rr0r1r2r3r4rri csrf_token1r8r8r9!test_multiple_concurrent_sessionszs.      rc Cs*|}|d}|jd|d|ddd}|j}d}||k}|sUtd|fd ||fd tvs6t|r;t|nd t|t|d } d d | i} t t | d}}}ddg} | D]} | | }g}|j}d} || k}|}|s|j }|j }d}||}| }|}|std|fd|| fd tvst|rt|nd t|t| d} dd| i}|||sdd tvst|rt|nd t|t|t|t|d}||t|di}dd|i}t t |d}}}}} }}}}}qadS)zBTest that authenticated session persists across multiple requests.r`rrrrr r r rrrrrNrrr=r)z3%(py4)s {%(py4)s = %(py2)s.status_code } != %(py7)s)rrrrErFzmnot %(py19)s {%(py19)s = %(py15)s {%(py15)s = %(py13)s {%(py13)s = %(py11)s.location }.endswith }(%(py17)s) })py11py13py15py17py19rNzassert %(py23)spy23)rrrr r!r"r#r$r%r&r'r*r(r)rRrS)r+r,r-r.r/rr0r1r2r3r4protected_urlsurlrUr5rV @py_assert12 @py_assert14 @py_assert16 @py_assert18 @py_assert20rZ @py_format21r^ @py_format24r8r8r9(test_session_persistence_across_requestss  XrcCs |}ddl}ddlm}|3|}|dd|d}ddl }dt | }| d||df} | Wdn1sHwYt d D]Q} |jd |d d d } | j} d} | | k}|std|fd| | fdtvs}t| rt| ndt| t| d}dd|i}tt|d} }} qQ|T|}| d|f}|r|d}d }||k}|std|fd||ft|t|d}dd|i}tt|d}}}WddSWddS1swYdS)z6Test comprehensive rate limiting enforcement per user.rNrrlrmratelimituser_roFrrarr r r rrrrrz8SELECT fail_count FROM login_attempts WHERE username = ? fail_count>=)z%(py1)s >= %(py4)srrr)rrqrrrrsrtrurvrwrxryrzr{r|rrr r!r"r#r$r%r&r'fetchone)r+r-r.rqrr}r~rxrrrrr0r1r2r3r4attemptsrVrTrrr8r8r9)test_rate_limiting_per_user_comprehensivesB      l"rc Cs@|}ddl}ddlm}ddl}|@|}|dd| d}g}t dD]} dt |d| } | d | |d f} | | q.|Wdn1sYwYg} |D](} t dD]}|jd | d d d}| |j|jdkrnqh| ddkrnqbg}d}|| v}|}|sd}|| v}|}|std|fd|| ft|dtvst| rt| ndd}dd|i}| ||std|fd|| ft|dtvst| rt| ndd}dd|i}| |t|di}dd|i}tt|d}}}}}}|o|}| d}t|}d}||k}|std |fd!||fd"tvsUttrZttnd"d#tvsht|rmt|nd#t|t|d$}d%d&|i}tt|d}}}WddS1swYdS)'z.Test rate limiting enforcement per IP address.rNrrlrmrpipuser__roFrrarr ir r@)z%(py3)s in %(py5)s responses)rDrz%(py7)sr)z%(py10)s in %(py12)s)py10rIz%(py14)srJrNzassert %(py17)srzSELECT * FROM login_ip_attemptsr)z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } >= %(py6)sr ip_attemptsrrr)rrqrrrrxrsrtrurvrwr|ryrzrRr{rrr r!r%r"r#r$rSr&r'rr) r+r-r.rqrrxr}r~usersrrrrrjrr0rTr1rV @py_assert9rWr3r4 @py_format13 @py_format15 @py_format16 @py_format18rr5rr7r8r8r9test_rate_limiting_per_ipsL         0 $r)__doc__builtinsr"_pytest.assertion.rewrite assertionrewriter pytestrxrrrmarkauthr:r_rbrdrjrkrrrrrrrrrrrr8r8r8r9sL"      %  %     1 $ (  ,